5609 matches found
Knowledge vulnerable to cross-site request forgery
Overview: Knowledge, provided by support-project.org, is an open-source knowledge base platform. Knowledge contains a cross-site request forgery vulnerability (CWE-352). Impact: If a user views a malicious page while logged in, unintended operations may be performed. Solution: Update the software. Update...
Nessus vulnerable to cross-site scripting
Overview: Nessus contains a stored cross-site scripting vulnerability (CWE-79) in its handling of .nessus files. Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: Arbitra...
smalruby-editor vulnerable to OS command injection
Overview: smalruby-editor, provided by Ruby Programming Shounendan, is a web-based editor for creating Ruby programs. smalruby-editor contains an OS command injection vulnerability (CWE-78). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security...
JVN#09460804: Knowledge vulnerable to cross-site request forgery
Knowledge, provided by support-project.org, is an open-source knowledge base platform. Knowledge contains a cross-site request forgery vulnerability (CWE-352). Impact: If a user views a malicious page while logged in, unintended operations may be performed. Solution: Update the software. Update to the...
JVN#12796388: Nessus vulnerable to cross-site scripting
Nessus contains a stored cross-site scripting vulnerability (CWE-79) in its handling of .nessus files. Impact: Arbitrary JavaScript may be executed in the user's web browser. Solution: Update the software. Update to the latest version according to the information provided by the developer. Products Affected...
JVN#50197114: smalruby-editor vulnerable to OS command injection
smalruby-editor, provided by Ruby Programming Shounendan, is a web-based editor for creating Ruby programs. smalruby-editor contains an OS command injection vulnerability (CWE-78). Impact: A remote attacker may execute arbitrary OS commands on the server where smalruby-editor resides. Solution: Update the...
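The CWE-78 pattern behind the smalruby-editor entry, as an added example that is not the project's own code: a user-supplied script name is either spliced into a shell command line (vulnerable) or passed as one argv element after a strict name check (hardened). The name policy, the file names and the payload are assumptions made for the example; the interpreter is invoked instead of `ruby` so the demonstration runs without Ruby installed.

```python
"""Added example (not smalruby-editor's own code): run a user-named script
without letting the name reach a shell. The script name comes from the
request and is treated as untrusted."""
import re
import subprocess
import sys

# Assumed policy for this example: a script name is one path component made of
# letters, digits, '_' or '-', ending in .rb. No '/', no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.rb$")


def validate_script_name(name: str) -> str:
    """Reject anything that is not a plain .rb file name."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected script name: {name!r}")
    return name


def vulnerable_command(name: str) -> str:
    """CWE-78 pattern: the name is interpolated into a command line that would be
    handed to a shell (subprocess.run(..., shell=True)), so ';', '|', '$(...)'
    in the name are interpreted by the shell, not treated as a file name."""
    return f"ruby {name}"


def hardened_argv(name: str) -> list:
    """The validated name is a single argv element; no shell is involved."""
    return ["ruby", validate_script_name(name)]


def echo_argv(name: str) -> str:
    """Show that with an argv list the payload arrives as one literal argument.
    The Python interpreter stands in for ruby so this runs anywhere."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "hello.rb; id"           # constructed injection attempt
    print(vulnerable_command(payload))  # ruby hello.rb; id  (two commands under a shell)
    print(echo_argv(payload))           # hello.rb; id       (one literal argument)
    try:
        hardened_argv(payload)
    except ValueError as err:
        print(err)
```

The argv form alone already defeats shell metacharacters; the name check is the second layer that also stops path components such as `../` from selecting files outside the editor's script directory.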
Arbitrary file upload vulnerability in GigaCC OFFICE
Overview: GigaCC OFFICE, provided by WAM!NET Japan K.K., contains a vulnerability where arbitrary files may be uploaded. WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and WAM!NET Japan K.K. coordinated...
Misconfiguration of the Apache Velocity template engine used to send emails in GigaCC OFFICE
Overview: GigaCC OFFICE, provided by WAM!NET Japan K.K., contains a misconfiguration of the Apache Velocity template engine that is used to send emails. WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and...
Java (OGNL) code execution in Apache Struts 2 when devMode is enabled
Overview: Apache Struts 2, provided by the Apache Software Foundation, is a software framework for creating Java web applications. There is a known risk that arbitrary Java (OGNL) code may be executed in Apache Struts 2 when devMode is enabled in a production environment. It is confirmed that...
JVN#92395431: Java (OGNL) code execution in Apache Struts 2 when devMode is enabled
Apache Struts 2, provided by the Apache Software Foundation, is a software framework for creating Java web applications. There is a known risk that arbitrary Java (OGNL) code may be executed in Apache Struts 2 when devMode is enabled in a production environment. It is confirmed that proof-of-concept co...
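A check for the condition this entry describes, as an added example rather than anything from the Apache Struts project: it reports whether `struts.devMode` is turned on in the two places it is most often set, `struts.xml` and `struts.properties`. Both configuration texts below are constructed samples; other ways the framework allows constants to be set are out of scope here.

```python
"""Added example, not Apache Struts' own code: flag struts.devMode=true in a
deployment's struts.xml and struts.properties. Both inputs are constructed."""
import re
import xml.etree.ElementTree as ET

STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.i18n.encoding" value="UTF-8"/>
  <!-- left over from development -->
  <constant name="struts.devMode" value="true"/>
</struts>
"""

STRUTS_PROPERTIES = """# constructed sample struts.properties
struts.i18n.encoding=UTF-8
struts.devMode = false
struts.devMode = TRUE
"""

_PROP_LINE = re.compile(r"^\s*struts\.devMode\s*[=:]\s*(\S+)", re.MULTILINE)


def devmode_in_struts_xml(text: str) -> bool:
    """True if any <constant name="struts.devMode"> sets it to true. The compare
    is case-insensitive so an odd-cased value is reported rather than ignored."""
    root = ET.fromstring(text)
    return any(
        c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
        if c.get("name") == "struts.devMode"
    )


def devmode_in_struts_properties(text: str) -> bool:
    """True if the last struts.devMode line is true. java.util.Properties keeps
    the last definition, so an earlier 'false' line does not help."""
    values = _PROP_LINE.findall(text)
    return bool(values) and values[-1].strip().lower() == "true"


def devmode_findings(struts_xml: str, struts_properties: str) -> list:
    """One finding per source that enables devMode; an empty list means neither does."""
    findings = []
    if devmode_in_struts_xml(struts_xml):
        findings.append("struts.xml: struts.devMode=true")
    if devmode_in_struts_properties(struts_properties):
        findings.append("struts.properties: struts.devMode=true")
    return findings


if __name__ == "__main__":
    for finding in devmode_findings(STRUTS_XML, STRUTS_PROPERTIES):
        print("FINDING:", finding)
```

Turning devMode off removes the condition this entry is about; it does not replace updating to a Struts release that fixes the underlying OGNL evaluation issues, which is the developer's advice quoted elsewhere on this page.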
MaruUo Factory's multiple AttacheCase products vulnerable to directory traversal
Overview: Multiple AttacheCase products provided by MaruUo Factory contain a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Kazuki Furukawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early...
AttacheCase vulnerable to directory traversal
Overview: AttacheCase is open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Kazuki Furukawa reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#28331227: MaruUo Factory's multiple AttacheCase products vulnerable to directory traversal
Multiple AttacheCase products provided by MaruUo Factory contain a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Impact: Decrypting a crafted ATC file may result in the creation of an arbitrary file or the overwriting of an existing file. Solution: Update the...
JVN#83917769: AttacheCase vulnerable to directory traversal
AttacheCase is open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Impact: Decrypting a crafted ATC file may result in the creation of an arbitrary file or the overwriting o...
Cybozu Remote Service Manager fails to verify client certificates
Overview: Remote Service Manager, provided by Cybozu, Inc., is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager fails to verify client certificates. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution...
JVN#19241292: Cybozu Remote Service Manager fails to verify client certificates
Remote Service Manager, provided by Cybozu, Inc., is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager fails to verify client certificates. Impact: A user may access internal web systems that do not allow access from external networks. A...
Olive Diary DX vulnerable to cross-site scripting
Overview: Olive Diary DX, provided by Olive Design, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the page parameter. Impact: An arbitrary script may be executed in the user's web browser. Solution: Do not use Olive Diary DX. Olive Diary DX is no longer being develop...
WEB SCHEDULE vulnerable to cross-site scripting
Overview: WEB SCHEDULE, provided by Olive Design, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the month parameter. Impact: An arbitrary script may be executed in the user's web browser. Solution: Do not use WEB SCHEDULE. WEB SCHEDULE is no longer being developed or...
Olive Blog vulnerable to cross-site scripting
Overview: Olive Blog, provided by Olive Design, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the search parameter. Ueki Shuya reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: ...
JVN#60879379: Olive Blog vulnerable to cross-site scripting
Olive Blog, provided by Olive Design, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the search parameter. Impact: An arbitrary script may be executed in the user's web browser. Solution: Do not use Olive Blog. Olive Blog is no longer being developed or maintained. It...
JVN#12124922: WEB SCHEDULE vulnerable to cross-site scripting
WEB SCHEDULE, provided by Olive Design, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the month parameter. Impact: An arbitrary script may be executed in the user's web browser. Solution: Do not use WEB SCHEDULE. WEB SCHEDULE is no longer being developed or...
JVN#71538099: Olive Diary DX vulnerable to cross-site scripting
Olive Diary DX, provided by Olive Design, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the page parameter. Impact: An arbitrary script may be executed in the user's web browser. Solution: Do not use Olive Diary DX. Olive Diary DX is no longer being developed or...
WinSparkle issue where registry value is not validated
Overview: When an application that uses WinSparkle is launched, it checks the directory WinSparkle uses for temporary files and deletes any temporary files found there. This directory path is specified in a registry key. In a situation where an attacker has modified the specific registry value used by this...
Wireshark for Windows issue where an arbitrary file may be deleted
Overview: Wireshark for Windows uses a software updating library called WinSparkle. Wireshark for Windows contains an issue where an arbitrary directory or file may be deleted due to an issue in WinSparkle (JVN#96681653). Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported...
JVN#96681653: WinSparkle issue where registry value is not validated
When an application that uses WinSparkle is launched, it checks the directory WinSparkle uses for temporary files and deletes any temporary files found there. This directory path is specified in a registry key. In a situation where an attacker has modified the specific registry value used by this library,...
JVN#90813656: Wireshark for Windows issue where an arbitrary file may be deleted
Wireshark for Windows uses a software updating library called WinSparkle. Wireshark for Windows contains an issue where an arbitrary directory or file may be deleted due to an issue in WinSparkle (JVN#96681653). Impact: An arbitrary directory or file may be deleted with the privileges of th...
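The AttacheCase and WinSparkle entries above are two faces of one mistake: a path that came from outside (a file name stored in an ATC archive, a directory name stored in a registry value) is used for a write or a delete without first confirming where it really points. The following added example, which is neither AttacheCase's nor WinSparkle's code, shows one check applied to both cases. The scratch directories, entry names and the "WinSparkle" link name are constructed for the demonstration; creating the symlink needs a platform that allows it (any Linux, or Windows with the right privilege).

```python
"""Added example, not AttacheCase's or WinSparkle's code: one check used twice.
(1) A file name taken from an archive entry is only written if it resolves to a
path strictly under the extraction directory. (2) A cleanup directory read from
untrusted configuration (a registry value, say) is only deleted if it resolves
to a real directory strictly under the expected temp root and is not a link."""
import os
import shutil
import tempfile


def safe_join(root: str, untrusted: str) -> str:
    """Absolute path of `untrusted` under `root`, or ValueError if it escapes.
    Backslashes are treated as separators because archives written on Windows
    use them; '..', absolute paths and symlinked prefixes are all caught by
    resolving the candidate and comparing it with the resolved root."""
    root_real = os.path.realpath(root)
    name = untrusted.replace("\\", "/")
    if not name or os.path.isabs(name) or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute or empty path rejected: {untrusted!r}")
    candidate = os.path.realpath(os.path.join(root_real, name))
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes extraction root: {untrusted!r}")
    return candidate


def extract_entry(dest_dir: str, entry_name: str, data: bytes) -> str:
    """Write one archive entry; the check runs before any directory is created."""
    target = safe_join(dest_dir, entry_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def validated_cleanup_dir(expected_root: str, configured: str) -> str:
    """Accept the configured directory only if it is a real directory strictly
    inside expected_root. A link is refused even if it currently points inside."""
    if os.path.islink(configured):
        raise ValueError(f"cleanup directory is a link: {configured!r}")
    root_real = os.path.realpath(expected_root)
    real = os.path.realpath(configured)
    if real == root_real or os.path.commonpath([root_real, real]) != root_real:
        raise ValueError(f"cleanup directory outside expected root: {configured!r}")
    if not os.path.isdir(real):
        raise ValueError(f"cleanup directory is not a directory: {configured!r}")
    return real


def cleanup_temp_dir(expected_root: str, configured: str) -> None:
    """Delete recursively, but only what validated_cleanup_dir accepts."""
    shutil.rmtree(validated_cleanup_dir(expected_root, configured))


def demo() -> dict:
    """Constructed scratch tree; returns what each check decided."""
    dest = tempfile.mkdtemp(prefix="extract_")
    outside = tempfile.mkdtemp(prefix="outside_")
    results = {}
    entries = {                      # constructed archive entry names
        "docs/readme.txt": b"fine",
        "../escape.txt": b"bad",
        "..\\..\\escape.txt": b"bad",
        "/etc/escape.txt": b"bad",
    }
    for name, data in entries.items():
        try:
            extract_entry(dest, name, data)
            results[name] = "written"
        except ValueError:
            results[name] = "rejected"
    link = os.path.join(dest, "WinSparkle")
    os.symlink(outside, link)        # attacker-controlled value pointing outside
    for label, configured in (("link", link), ("outside", outside)):
        try:
            cleanup_temp_dir(dest, configured)
            results[label] = "deleted"
        except ValueError:
            results[label] = "rejected"
    good = os.path.join(dest, "docs")
    cleanup_temp_dir(dest, good)     # legitimate directory inside the root
    results["good"] = "deleted" if not os.path.exists(good) else "kept"
    results["outside_intact"] = os.path.isdir(outside)
    shutil.rmtree(dest)
    shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Comparing resolved paths rather than inspecting the string for `..` is what makes the check hold up against mixed separators, symlinks and drive-letter tricks; the separate "is a link" refusal on the cleanup directory matters because the deletion target is chosen by whoever can write the configuration, not by the archive author.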
BlueZ userland utilities vulnerable to buffer overflow
Overview: BlueZ provides a Bluetooth protocol stack for the Linux kernel and userland utilities. The parseline function used in some of the userland utilities contains a buffer overflow vulnerability. Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with...
H2O use-after-free vulnerability
Overview: H2O is open source web server software. H2O contains a use-after-free vulnerability (CWE-416) due to a flaw in the process of upgrading from HTTP/1 to HTTP/2. Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated...
SKYSEA Client View vulnerable to arbitrary code execution
Overview: SKYSEA Client View, provided by Sky Co., LTD., is an enterprise IT asset management tool. The SKYSEA Client View agent program contains an issue in processing authentication on the TCP communication with the management console program, which allows an attacker to execute arbitrary code on t...
JVN#44566208: H2O use-after-free vulnerability
H2O is open source web server software. H2O contains a use-after-free vulnerability (CWE-416) due to a flaw in the process of upgrading from HTTP/1 to HTTP/2. Impact: An unauthenticated remote attacker may cause a denial-of-service (DoS) condition or obtain arbitrary information which may include t...
JVN#84995847: SKYSEA Client View vulnerable to arbitrary code execution
SKYSEA Client View, provided by Sky Co., LTD., is an enterprise IT asset management tool. The SKYSEA Client View agent program contains an issue in processing authentication on the TCP communication with the management console program, which allows an attacker to execute arbitrary code on the client...
JVN#38755305: BlueZ userland utilities vulnerable to buffer overflow
BlueZ provides a Bluetooth protocol stack for the Linux kernel and userland utilities. The parseline function used in some of the userland utilities contains a buffer overflow vulnerability. Impact: An attacker who can access the product may execute arbitrary code. Solution: Update the software. Update to the late...
Cybozu Garoon fails to restrict access permission in To-Dos of Space function
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an access restriction flaw in the To-Dos of the Space function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the...
Cybozu Garoon fails to restrict access permission in MultiReport filters
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an access restriction flaw in MultiReport filters. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information...
Cybozu Garoon fails to restrict access permission in the RSS settings
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an access restriction flaw in the RSS settings. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information...
Cybozu Garoon vulnerable to SQL injection
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an SQL injection vulnerability (CWE-89) due to an issue in the "MultiReport" function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and Cybozu, Inc...
Cybozu Garoon vulnerable to directory traversal
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains a directory traversal vulnerability (CWE-22). Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Securit...
Cybozu Garoon vulnerable to cross-site request forgery
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains a cross-site request forgery vulnerability (CWE-352). Yasuda Yuya reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN...
Cybozu Garoon vulnerable to information disclosure
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an information disclosure vulnerability (CWE-200). Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information...
Cybozu Garoon vulnerable to cross-site scripting
Overview: Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains a cross-site scripting vulnerability (CWE-79) due to an issue in the "Messages" function of Cybozu Garoon Keitai. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN...
JVN#12281353: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains a cross-site scripting vulnerability (CWE-79) due to an issue in the "Messages" function of Cybozu Garoon Keitai. Impact: An arbitrary script may be executed in the user's web browser. Solution: Update the software. Update to the...
JVN#13218253: Cybozu Garoon vulnerable to information disclosure
Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an information disclosure vulnerability (CWE-200). Impact: Cybozu Garoon uses HTTPS communication, so an attacker cannot eavesdrop on the communication under normal operation. However, if a user conducts a specific...
JVN#17980240: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains an SQL injection vulnerability (CWE-89) due to an issue in the "MultiReport" function. Impact: A user may execute arbitrary SQL commands. Solution: Update the software. Update to the latest version according to the information...
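What "a user may execute arbitrary SQL commands" looks like in a report-filtering feature, as an added example that is not Cybozu Garoon's code: the same search once built by string concatenation and once with bound parameters. The table, its rows, the filter payload and the use of SQLite are all constructed for the demonstration; `owner` stands in for the logged-in user whose records the query is supposed to be restricted to.

```python
"""Added example, not Cybozu Garoon's code: a report filter built by string
concatenation beside the same query with bound parameters. The schema and
rows are constructed; 'owner' stands in for the logged-in user."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO reports (owner, title) VALUES (?, ?)",
        [("alice", "Q1 expenses"), ("alice", "Travel"), ("bob", "Secret budget")],
    )
    return conn


def vulnerable_filter(conn, owner: str, title_filter: str) -> list:
    """CWE-89: the filter string becomes part of the SQL text, so a quote, an OR
    and a '--' comment in it rewrite the WHERE clause and drop the owner
    restriction (and everything after the comment, including ORDER BY)."""
    sql = (f"SELECT title FROM reports WHERE owner = '{owner}' "
           f"AND title LIKE '%{title_filter}%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def like_pattern(term: str) -> str:
    """Bound parameters stop injection, but LIKE still treats % and _ inside the
    value as wildcards, so those are escaped too (ESCAPE '\\' in the query)."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def safe_filter(conn, owner: str, title_filter: str) -> list:
    """Same query; user data travels as parameters, never as SQL text."""
    sql = ("SELECT title FROM reports WHERE owner = ? "
           "AND title LIKE ? ESCAPE '\\' ORDER BY id")
    return [row[0] for row in conn.execute(sql, (owner, like_pattern(title_filter)))]


if __name__ == "__main__":
    db = make_db()
    payload = "%' OR 1=1 --"                        # constructed injection
    print(vulnerable_filter(db, "alice", payload))  # every row, bob's included
    print(safe_filter(db, "alice", payload))        # []
    print(safe_filter(db, "alice", "exp"))          # ['Q1 expenses']
```

The second function also shows the detail that parameter binding does not cover: wildcard characters inside a LIKE value are still interpreted by the database, which is a data-exposure issue rather than an injection, and is handled by escaping them before binding.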
JVN#14631222: Cybozu Garoon fails to restrict access permissions
Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains the following multiple vulnerabilities in restricting access permissions. Access restriction flaw in the RSS settings (CVE-2016-4908). CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N; score...
JVN#15222211: Cybozu Garoon vulnerable to cross-site request forgery
Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains a cross-site request forgery vulnerability (CWE-352). Impact: If a user views a malicious page while logged in, the user may be forced to log out. Solution: Update the software. Update to the...
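The Knowledge and Cybozu Garoon CSRF entries describe the same attack: a logged-in user visits an attacker's page, and the browser sends a request to the application that performs an action (a forced logout in the Garoon case) the user never chose. The following added example, which is neither project's code, shows the server-side gate for a state-changing endpoint: a per-session token compared in constant time, a refusal to act on GET, and an Origin/Referer check as a second layer. `SITE_ORIGIN`, the header and form dictionaries, and the fail-closed handling of a request with neither header are assumptions made for this example.

```python
"""Added example, not Knowledge's or Cybozu Garoon's code: the checks a server
makes before acting on a state-changing request such as logout. SITE_ORIGIN
and the request shapes are assumptions for this example."""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://groupware.example"   # assumed origin of the application
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token() -> str:
    """Unguessable per-session token, kept in the server-side session and
    emitted into forms. A page on another origin cannot read it."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict) -> Optional[str]:
    """Origin if present, else scheme+host of Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def tokens_match(expected: Optional[str], supplied) -> bool:
    """Constant-time compare; a missing or non-string value never matches."""
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def allow_state_change(session: dict, method: str, headers: dict, form: dict) -> bool:
    """Allow only non-GET requests that carry this session's token and come from
    our own origin. A logout reachable from a plain GET link is exactly the
    'forced logout' case. Assumption: with neither Origin nor Referer present
    the request is refused (fail closed)."""
    if method.upper() in SAFE_METHODS:
        return False
    if not tokens_match(session.get("csrf_token"), form.get("csrf_token")):
        return False
    return request_origin(headers) == SITE_ORIGIN


def demo() -> dict:
    """Constructed requests against one session; returns each decision."""
    session = {"csrf_token": new_csrf_token()}
    own = {"Origin": SITE_ORIGIN}
    evil = {"Origin": "https://attacker.example"}
    token = session["csrf_token"]
    return {
        "legit_post": allow_state_change(session, "POST", own, {"csrf_token": token}),
        "get_link": allow_state_change(session, "GET", own, {"csrf_token": token}),
        "cross_site_no_token": allow_state_change(session, "POST", evil, {}),
        "cross_site_guessed_token": allow_state_change(session, "POST", evil, {"csrf_token": "x" * 43}),
        "no_origin_header": allow_state_change(session, "POST", {}, {"csrf_token": token}),
    }


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key}: {'allowed' if decision else 'refused'}")
```

The token is the primary defence; the origin check only adds coverage for deployments where the token is mishandled (for example, leaked into a URL). Applications that must serve clients which strip both Origin and Referer would relax the last check rather than the token check.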
JVN#16200242: Cybozu Garoon vulnerable to directory traversal
Cybozu Garoon, provided by Cybozu, Inc., is groupware. Cybozu Garoon contains a directory traversal vulnerability (CWE-22). Impact: A user may obtain arbitrary files managed by the product. Solution: Update the software. Update to the latest version according to the information provided by the develope...
Multiple SONY Videoconference Systems do not properly perform authentication
Overview: Multiple SONY videoconference systems have a default user account that does not require authentication to log in to the device (CWE-306). This user account has the privilege to view some of the system configuration files. As a result, the device may be manipulated by an attacker with...
JVN#42070907: Multiple SONY Videoconference Systems do not properly perform authentication
Multiple SONY videoconference systems have a default user account that does not require authentication to log in to the device (CWE-306). This user account has the privilege to view some of the system configuration files. As a result, the device may be manipulated by an attacker with administrative...
Apache ActiveMQ vulnerable to cross-site scripting
Overview: Apache ActiveMQ, provided by the Apache Software Foundation, is middleware that implements the Java Message Service. Apache ActiveMQ contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA...
JVN#78980598: Apache ActiveMQ vulnerable to cross-site scripting
Apache ActiveMQ, provided by the Apache Software Foundation, is middleware that implements the Java Message Service. Apache ActiveMQ contains a stored cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed in the user's web browser. Solution: Update the software. Update t...
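Stored cross-site scripting appears several times on this page (the Nessus .nessus file handling and the Apache ActiveMQ entry among them). The added example below is not code from Tenable, Apache or any other project listed here; it shows the shape of the bug with an imported document as the store: a value parsed from the file is later placed into HTML, once raw and once escaped for the context it lands in. The minimal `.nessus`-style document, the host names and the HTML template are constructed for the demonstration.

```python
"""Added example, not Tenable's or Apache's code: a value lifted from an
imported file is later placed in HTML. Escaping happens at output time, for
the context (text node, attribute value) the data lands in. The document
below is a constructed, minimal sample in the style of a .nessus file."""
import html
import xml.etree.ElementTree as ET

# Constructed sample: host names carrying payloads, as an attacker could place
# in a file that is later imported and displayed. Entities are used because the
# store is XML; the parser hands back the raw characters.
SAMPLE_REPORT = """<NessusClientData_v2>
  <Report name="imported scan">
    <ReportHost name="web01&lt;script&gt;alert(document.cookie)&lt;/script&gt;">
      <ReportItem pluginName="HTTP Server Type" severity="0"/>
    </ReportHost>
    <ReportHost name="web02&quot; onmouseover=&quot;alert(1)">
      <ReportItem pluginName="HTTP Server Type" severity="0"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


def host_names(report_xml: str) -> list:
    """Parse the stored document; the values returned contain the raw '<', '>'
    and '"' characters, which is what the renderer will see."""
    root = ET.fromstring(report_xml)
    return [h.get("name", "") for h in root.iter("ReportHost")]


def render_unsafe(names: list) -> str:
    """The stored-XSS pattern: stored data concatenated straight into HTML,
    in both an attribute value and a text node."""
    rows = "".join(f'<tr><td data-host="{n}">{n}</td></tr>' for n in names)
    return f"<table>{rows}</table>"


def render_safe(names: list) -> str:
    """Same template with each interpolation escaped. html.escape defaults to
    quote=True, which also turns '"' into &quot; so an attribute cannot be
    closed early; it is written out here to make the attribute case explicit."""
    rows = "".join(
        f'<tr><td data-host="{html.escape(n, quote=True)}">{html.escape(n)}</td></tr>'
        for n in names
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    names = host_names(SAMPLE_REPORT)
    print(render_unsafe(names))
    print(render_safe(names))
```

The point the two host names make is that "escape at input" is not enough: the first payload needs `<` and `>` neutralised in a text node, the second needs `"` neutralised inside an attribute, and only the code that knows where the value is going can choose correctly. Values placed inside a `<script>` block or a URL need different encoders again.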